This application claims the benefit of Korean Patent Application No. 10-2004-0089167, filed on Nov. 4, 2004, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.
1. Field of the Invention
The present invention relates to a method and apparatus for providing a security mechanism at a transport layer, and more particularly, to a method and apparatus for providing a security mechanism guaranteeing transparency at a transport layer that provides an application program with security transparency and effectively controls the security transparency by performing encrypting/decrypting at the transport layer of a kernel that transmits/receives all kinds of data.
2. Description of the Related Art
A secure socket layer (SSL) protocol is used separately by an application program such as a web browser in order to protect the transport layer. An SSL server and an SSL client installed in each node of a network environment having a server and a client perform encrypting/decrypting and key negotiation between the application layer and the transport layer using the open SSL library, which guarantees a secure communication channel between the server and the client. Transport layer security (TLS) protocol version 1.0 is the latest industry-standard SSL protocol.
However, since an application program other than a web-based application needs a separate library in order to be provided with transport layer-based network security service, all existing application programs must be modified, and they are difficult to control as well.
A TLS protocol that provides all application programs with a common function and path at the transport layer makes it possible to construct a secure communication channel without modifying any of the existing application programs, to guarantee complete security transparency, and to effectively control security transparency at the kernel level.
FIG. 1 is a block diagram of an encrypting/decrypting module and a key exchange module for protecting data at the transport layer. Referring to FIG. 1, in a conventional security mechanism at the transport layer, an encrypting/decrypting module 111 and a key exchange module 112 operate in a socket interface interposed between the application layer and the transport layer below.
First, a manager modifies an application program that wishes to use the security service and provides it with a network socket interface that uses the open SSL library. Then, when the application program transmits a user data packet, the TLS module of the socket interface checks the user data packet, and the key exchange module 112 negotiates new key information with the key exchange module of the peer node and stores the new key information. Thereafter, the encrypting/decrypting module 111 encrypts the user data packet based on that key information and transmits the encrypted packet.
In the conventional security mechanism, this processing must be executed separately for each application program, in its own socket interface.
Referring to FIG. 1, since a separate socket interface is used to execute each of the application programs 110, the TLS module has problems of transparency, extensibility, etc., and degrades performance.